Unpatched Adobe ColdFusion servers at a data clearinghouse used by law enforcement were the point of entry for Russian thieves

InfoWorld|Oct 2, 2013

SSNDOB, the Russian hacker group that over the course of many months stole massive amounts of personal data from firms like LexisNexis and Dun & Bradstreet, apparently also infiltrated the servers of the National White Collar Crime Center (NW3C), according to security researcher Brian Krebs.

Last week, Krebs reported how SSNDOB broke into a number of business data brokers and set up botnets to look up customers' personal data, which it then sold via its own Web portal.

On Tuesday, Krebs followed up that story with more details about how SSNDOB exploited unpatched server software to perform a similar digital ransacking on the NW3C, which Krebs describes as "a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime."

While the NW3C doesn't have any actual law-enforcement powers, it works as a clearinghouse for data that can be used by law enforcement. NW3C's analysts help the FBI run the Internet Crime Complaint Center (IC3), where those victimized by online crime can report it. Datasets from the IC3 were among those stolen by SSNDOB, which was able to conduct its operations undetected on NW3C servers for approximately 11 weeks (May 28 through Aug. 17).

According to Krebs, the stolen IC3 data included some 2.659 million consumer complaint records spanning from May 8, 2000, through Jan. 22, 2003. One such record, presented by Krebs with some redaction, involved someone reporting how they were hit with a fake FBI ransom scam after browsing an adult website.

The IC3 data appears to have only been the most obvious theft. Other databases accessed by SSNDOB included "records which appear to be related to ongoing criminal and possibly civil cases."

When Krebs consulted another security analyst, Alex Holden of Hold Security, Holden noted that a number of the queries run against the NW3C's databases might have been used to identify law enforcement officers working with the NW3C.

"One of the more interesting lookups the attackers ran," Krebs wrote, "instructed the NW3C's database to produce a list of foreign law enforcement agents who were working active criminal cases with the organization."

The most embarrassing aspect of these attacks is that they were executed with exploits for vulnerabilities that, in theory, should have been patched long before the intrusion.

Krebs explained that "all of the exploits appear to attack vulnerabilities that are fixed in the most recent versions of Adobe ColdFusion." Three of the four exploits used were patched by Adobe in January 2013; the fourth in 2010.

A chronic problem with ColdFusion deployments, ColdFusion expert Rob Brooks-Bilson said, is that "so many people install and set it up without following any of Adobe's hardening guidelines."

Gary Alterson, senior director of Risk and Advisory Services at security consulting firm Neohapsis, pointed out that, patching and hardening issues aside, there didn't seem to be any behavioral monitoring in NW3C's security program: nothing watched for database activity that was out of the ordinary.

"[I] found it interesting that the attackers were able to dump an entire database without being authorized to do so," Alterson said. "Dumping a full production database isn't normal behavior, and even if it were OK, it shouldn't be done without a change ticket. So the dumping of databases across the environment should have raised a flag somewhere," he added.
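The check Alterson describes can be approximated from database audit logs alone. The following is an added example, not code from the article, from Krebs or from NW3C: it parses a constructed audit log and raises an alert for any SELECT that reads a whole table (no WHERE or LIMIT) or returns more rows than a threshold, unless the principal is on an approved-change-ticket list, and a second alert when one client dumps several tables within a short window. The log format, table names, thresholds, IP addresses and the ticket list are all assumptions made up for the example.

```python
"""Flag unapproved bulk database reads in an audit log (added example).

Everything here is constructed for illustration: the log format, the
table names, the thresholds and the approved-ticket list are assumptions,
not NW3C's logs or configuration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample audit log. Assumed line format:
# <ISO timestamp> user=<db user> src=<client ip> rows=<rows returned> sql=<statement>
SAMPLE_LOG = """\
2013-06-02T03:14:07 user=webapp src=10.0.5.20 rows=1 sql=SELECT * FROM complaints WHERE id = 48812
2013-06-02T03:14:09 user=webapp src=10.0.5.20 rows=12 sql=SELECT name, agency FROM agents WHERE case_id = 771
2013-06-02T03:15:41 user=webapp src=203.0.113.9 rows=2659000 sql=SELECT * FROM complaints
2013-06-02T03:21:10 user=webapp src=203.0.113.9 rows=8400 sql=SELECT * FROM cases
2013-06-02T03:22:55 user=webapp src=203.0.113.9 rows=312 sql=SELECT * FROM agents WHERE country <> 'US'
2013-06-02T04:00:00 user=backup src=10.0.5.2 rows=2659000 sql=SELECT * FROM complaints
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) rows=(?P<rows>\d+) sql=(?P<sql>.*)$"
)
SELECT_RE = re.compile(r"^\s*SELECT\s+.*?\s+FROM\s+(?P<table>\w+)", re.I)
FILTER_RE = re.compile(r"\bWHERE\b|\bLIMIT\b", re.I)

ROW_THRESHOLD = 10_000                 # assumption: anything above this is "bulk"
TABLE_BURST_WINDOW = timedelta(minutes=10)
TABLE_BURST_COUNT = 2                  # distinct tables dumped by one client in the window

# Assumption: (user, src) pairs covered by an approved change ticket for bulk reads.
APPROVED_BULK = {("backup", "10.0.5.2"): "CHG-2013-0442"}


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    rows: int
    sql: str
    table: Optional[str]


def parse_log(text: str) -> list:
    """Parse audit lines into Events; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sm = SELECT_RE.match(m["sql"])
        events.append(Event(datetime.fromisoformat(m["ts"]), m["user"], m["src"],
                            int(m["rows"]), m["sql"], sm["table"] if sm else None))
    return events


def is_full_table_read(ev: Event) -> bool:
    """A SELECT with no WHERE and no LIMIT reads the whole table."""
    return ev.table is not None and FILTER_RE.search(ev.sql) is None


def find_alerts(events: list) -> list:
    """Return BULK_READ alerts per unapproved bulk read, plus one
    MULTI_TABLE_DUMP alert per client that dumped several tables quickly."""
    alerts = []
    bulk_by_client = {}
    for ev in events:
        key = (ev.user, ev.src)
        if not (ev.rows >= ROW_THRESHOLD or is_full_table_read(ev)):
            continue
        if key in APPROVED_BULK:
            continue  # scheduled job with a change ticket: expected behaviour
        alerts.append({"kind": "BULK_READ", "ts": ev.ts, "user": ev.user,
                       "src": ev.src, "table": ev.table, "rows": ev.rows})
        bulk_by_client.setdefault(key, []).append(ev)
    for (user, src), evs in bulk_by_client.items():
        tables = {e.table for e in evs if e.table}
        span = evs[-1].ts - evs[0].ts
        if len(tables) >= TABLE_BURST_COUNT and span <= TABLE_BURST_WINDOW:
            alerts.append({"kind": "MULTI_TABLE_DUMP", "user": user, "src": src,
                           "tables": sorted(tables), "span": span})
    return alerts


def scan(text: str = SAMPLE_LOG) -> list:
    return find_alerts(parse_log(text))


if __name__ == "__main__":
    for alert in scan():
        print(alert)
```

On the constructed log this flags the two full-table reads from 203.0.113.9 (complaints and cases) and then a multi-table dump for that client, while the backup job's identical full read of the complaints table is suppressed by its ticket. The row-count threshold catches dumps that use a trivially true WHERE clause; the whole-table check catches dumps whose row count the logging layer never recorded.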